Consider this scenario: A company receives a subpoena for documents from the U.S. government or a U.S.-based regulator, but is concerned because some of its documents are hosted on a server in a foreign country with restrictive personal data protections. How should attorneys advise this company to comply with the subpoena without violating foreign data privacy laws?

Any person in this situation must understand the potential conflicts between the broad extraterritorial discovery sanctioned by U.S. courts, and the strict limitations on the processing and transferring of personal data in the European Union (EU) and other foreign countries. For example, the EU’s General Data Protection Regulation (GDPR) governs, and severely restricts, the collection and disclosure of personal data in the 28 EU member states, plus Iceland, Norway, and Liechtenstein. (The GDPR broadly defines “personal data” as “any information relating to an identified or identifiable natural person.” GDPR, Regulation (EU) 2016/679, Article 4:1.)

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]